How To Use SPF To Protect Your Domain From Spoofing

Many business owners are currently struggling to rebuild trust in their brand. This is because at one point or another, scammers have used their domain to scam many of their unsuspecting customers and subscribers. This has created a disconnect between them and their customers. Subscribers now hesitate to trust anything that comes from their domain. So, they are now losing sales they would have otherwise closed.

This doesn’t have to happen to you. You can join other smart email marketers and business owners using SPF to protect their domain from spoofing.

What Is SPF?

Sender Policy Framework (SPF) is an email authentication standard. A domain owner can use SPF to tell receiving mail servers which senders are approved to send emails from their domain.

SPF has a record containing the list of IP addresses you approve for sending emails through your domain. You can find the SPF record in the Domain Name System (DNS).

Your Email Service Provider can identify forged sender addresses. They can do this by checking the record to verify the identity of the sender. They can then penalize imitation addresses.

Why Do You Need SPF?

People can send emails from their computers and claim that they’re from any source. Spammers are taking advantage of this opportunity to forge email addresses. They’re then using them for spoofing.

They do this by disguising themselves as a trusted source. From there, they are able to deceive the email receivers into reading their messages. Spoofing is intended to make people give away their confidential information. Because of this, the people behind it damage the reputation of the email address or domain name they forge.

As an email marketer or business owner, you will lose credibility if your domain is used for sending spoofing emails.

Some spammers may send unauthorized emails through your domain as well. If they do, your domain may be flagged as spam. Emails from a flagged domain won’t be allowed into the inbox folder. This will have a negative impact on your deliverability.

Set up an SPF record for your email address or domain name. When you do this, ESPs will recognize the domain as legit and won’t flag messages from the domain as spam. Plus, they will recognize emails sent from unauthorized hosts and flag such emails as spam.

By doing this, spammers are less likely to use your domain for spoofing. This ensures you will also avoid being blacklisted. This is one sure way to ensure your emails end up in your subscribers’ inboxes instead of spam folders.

If you don’t protect your domain with SPF, your ESP may mark emails from the domain as spam. You can prevent spammers from using your domain and improve your deliverability through SPF.

How Does SPF Work?

The receiving ESP verifies your SPF record before it delivers your messages to your subscribers. It looks at the domain in the Return Path, or “envelope from,” in the header.

It then compares the IP address you sent the message from, to the IP addresses in the domain’s SPF record. If the address is not listed in the record, the message will fail SPF authentication.

What Is SPF Record?

An SPF record is a record of all the approved senders for your domain name. Messages from IP addresses that you didn’t list in your SPF record are treated as coming from unauthorized senders, such as spammers.

How Do I Create An SPF Record?

You must create an SPF record for your domain first before an Email Service Provider (ESP) can use the record for verification. Follow the steps below to create the record without stress:

1. Collect the IP addresses

You must first collect the IP addresses that are used to send emails through your domain. This may include organizations or individuals that use third-party mail servers to send an email on your behalf. The list should cover all your mail servers.

You can check your ISP’s mail server, an in-office mail server, or your web server as likely IP addresses to include in the SPF record. If you’re using an ESP, reach out to them to obtain your sending IP address.

2. Compile A List Of Your Sending Domains

It is possible that your company has several domains registered in its name. You may use some of these domains for sending emails while you may not use others.

Create SPF records for both the domains you use regularly and those you don’t use for mailing. This is to prevent spammers from targeting the domains you don’t use if they can’t abuse the ones you use regularly.

Once you have a list of the sending domains, go ahead and create the SPF record.

3. Create the Record

Define the record as an SPF record by starting it with the version tag, in this format: v=spf1. This identifies it as the first version of SPF.

Once you have included the version tag, list the IP addresses you wish to authorize to send emails on your behalf. For instance, v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e, and so on.

If there are third-party organizations you use for sending out emails for your brand, include them as well. For instance, include:thesenderdomain.com. By including the third party, you have empowered it to send emails on your domain name.

Once you have successfully added the include tags and IP addresses, end the record with the -all or ~all tag. This tag is very important in the SPF record because it determines how to handle a server not listed in the record. If such a server sends a message via your domain, the action determined by the tag will be applied to that message: the receiver may mark the email as spam or reject it.

If you define your SPF record properly, it will be in this form: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:thirdpartydomain.com -all

When creating your SPF record, note that you can’t exceed 255 characters. But, if you must exceed the character limit while adding more IP addresses, use the include option. Add this to your SPF record this way: include:extra-1.example.com. Then create another TXT or SPF record for extra-1.example.com. Place another block of 255 characters in the new record. You can do this for as many blocks of IP addresses as you want.

You also can’t add more than 10 include tags. If you exceed the limit of 10 DNS queries, the record will produce an error and blank out as if you haven’t created any record.

Once you are done with the SPF record creation, publish it into the DNS.

4. Publish the SPF Record

When you publish the record into the DNS, Hotmail, Gmail, and other email service providers can have easy access to it. If your DNS provider provided you with a dashboard, use it to publish the record. Otherwise, ask the DNS provider to assist you to publish it.

If you want to publish it through your DNS manager, follow these steps:

  1. Visit your domain host provider’s website and log in to your domain account.
  2. Use the DNS management menu.
  3. Select the domain containing the records you want to change.
  4. Open the DNS Manager.
  5. Check the text section and create a TXT record.
  6. Write your domain name in the Host field.
  7. Input your SPF record in the TXT Value field.
  8. Specify the Time to Live (TTL). You may leave it at the default or enter 3600. The Time to Live refers to the lifespan of data stored in a network or a computer.
  9. Click “Add Record” or “Save” to publish the record into your DNS.

Note that it may take up to 48 hours before the record goes into effect.

If you can’t handle the publishing, contact your DNS server administrator for help. They will assist you with publishing to enable email providers to make easy reference to it.

If you are unsure of whether your ISP administers your DNS records, your IT department should be of help.

5. Test the SPF Record

When you are through with the record creation, test it. The test result will show you the list of all the servers that are authorized to use your domain to send an email. If the list doesn’t contain some of the IP addresses you authorized for sending emails, update your record.

How To Verify Your SPF Record

Your SPF record is only useful if it is valid. You can only learn its validity by running it through an SPF record testing tool.

With the tools, you can get the SPF record for your domain name and check it for validity. This includes checking whether the record has the right syntax that will make it valid. This test is important before you publish your records. If the record is not syntactically correct, it may be difficult for ESPs to reference it.
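The kind of syntax check such a tool runs before publishing, as an added example (not code from this article or from any particular testing tool). The function name lint_spf and the BAD sample are constructed for illustration; GOOD is the record shown earlier, and the list of DNS-querying terms follows RFC 7208.

```python
import ipaddress
import re

# Terms that make the receiver issue a DNS query (RFC 7208 caps these at 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
KNOWN_TERMS = LOOKUP_TERMS + ("ip4", "ip6", "all", "exp")
TERM_RE = re.compile(r"([A-Za-z][\w.-]*)(?:[:=/](.*))?")

GOOD = ("v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e "
        "include:thirdpartydomain.com -all")
# Constructed broken record: bad octet, stray space after "include:", en dash before "all".
BAD = "v=spf1 ip4:34.243.56.357 include: thirdpartydomain.com \u2013all"


def lint_spf(record):
    """Return a list of problems in one SPF record string (empty list means clean)."""
    problems = []
    if len(record) > 255:
        problems.append("record is longer than 255 characters")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    lookups, seen_all = 0, False
    for term in terms[1:]:
        body = term[1:] if term[0] in "+-~?" else term  # strip the qualifier
        m = TERM_RE.fullmatch(body)
        name = m.group(1).lower() if m else ""
        arg = (m.group(2) or "") if m else ""
        if name not in KNOWN_TERMS:
            problems.append(f"unrecognized term: {term}")
            continue
        if seen_all and name != "exp":
            problems.append(f"term after 'all' is never evaluated: {term}")
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg, strict=False).version != int(name[2]):
                    raise ValueError("address family does not match mechanism")
            except ValueError:
                problems.append(f"invalid {name} address: {arg!r}")
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "exists", "redirect") and not arg:
                problems.append(f"{name} needs a domain: {term}")
        elif name == "all":
            seen_all = True
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not seen_all and "redirect=" not in record:
        problems.append("no 'all' mechanism or redirect at the end")
    return problems
```
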

You can also test your record’s performance. This test will cover the different IP addresses the mail may be sent from.

There are several tools for SPF record verification, and they follow a similar procedure. You can use any of them.

The verification process follows these steps:

  • Go to the website.
  • Enter the domain name you want to check the SPF record for.
  • Click “Run Checks.”
  • Upon completion of the test, you will receive the result of the test with the list of several IP addresses.

SPF Verification Result Translation

The verification test will give you some results. These results give you a clue into your domain name’s performance.

  • None: There was no SPF record for the domain.
  • Neutral: The domain owner doesn’t want to state that it has authorized the IP address to send messages from the domain. This result receives the same treatment as the ‘None’ result. Such SPF records use the ? qualifier.
  • Pass: The IP address can send information from the domain.
  • Fail: The IP address is not authorized to use the domain.
  • SoftFail: The IP address is probably not authorized to use the domain, but the domain owner has not made a definitive statement about it.
  • TempError: There was a temporary error during the verification process. This may be caused by some technical issues during the exercise. This doesn’t imply that the SPF record is invalid.
  • PermError: The ESP can’t verify the published SPF record. This may be the result of a format or syntax error in the record itself.

Major Components Of An SPF Record

The SPF version number and some strings make up the SPF record. The strings include mechanisms, qualifiers, and modifiers.

SPF Mechanisms

The SPF record contains some mechanisms. Some of them are:

  • All: this mechanism always matches, for both remote and local IPs, and sets the default result. It is usually at the SPF record’s end. With ~all, for example, the ESP should accept the message but classify it in the Soft Fail category.
  • A: the mechanism will match if the domain has an address record that resolves to the sender’s address. In a nutshell, it covers the IPs in the A record of the DNS. So, if someone uses your A record’s IP address to send an email, the message will pass.
  • IP4: It matches if the sender is within the given IPv4 address range. It may also refer to a single IPv4 address.
  • IP6: It matches if the sender is within the given IPv6 address range.
  • MX: It will also match if there is an MX record in the domain name. It covers all A and AAAA records for each of the MX records. There is a match if the email is from an IP address of the incoming mail servers of the domain.
  • EXISTS: Matching is positive if the domain name resolves to an address. This is regardless of the address the domain resolves to.
  • PTR: This specifies all the A records associated with the PTR record of each host.
  • INCLUDE: this mechanism references another domain’s SPF record, so the senders that domain authorizes are authorized for your domain too.

For instance, “v=spf1 mx -all” indicates that the MX hosts of the domain should be allowed to send emails through the domain while other hosts are not allowed to do so.

SPF Qualifiers

Qualifiers are used to prefix mechanisms. There are four qualifiers. These four qualifiers are:

  • “+”: This signifies “Pass.” It informs the ESP to accept messages from the address because it passed the verification test. For example: “v=spf1 +all”. Note that +all lets every server pass, so it should not appear in a published record.
  • “-”: Hard Fail: In this case, the address failed the verification test. The ESP should bounce emails from such addresses.
  • “~”: Soft Fail: Although the address didn’t pass the test, there is no definitive result about it. Thus, the ESP may accept non-compliant emails and tag them. For example: “v=spf1 ~all”
  • “?”: Neutral: The address neither passes nor fails the test. In this case, the ESP may do whatever pleases it with the address. It may accept or reject it. For example: “v=spf1 ?all”

Note that the “+” will be the default option if you don’t include a qualifier.

SPF Modifiers

Modifiers are added to an SPF to provide extra information about it. There are two major modifiers:

  • “Redirect”: This modifier comes in handy when you have more than one domain and want to use the same SPF content on all of them. The modifier is good if you are the one managing all the domains. Alternatively, you can use the “include” if you are not. It takes this form: redirect=some.domain.com
  • “Exp”: Sometimes, a matched mechanism can have a Fail qualifier. This modifier comes in handy then. Its major function is to provide an explanation for the failure.

Modifiers are usually placed at the end of the SPF record.

SPF, DKIM, and DMARC

Do you want a fool-proof system that protects from spoofing and its negative effects? Consider using SPF with other tools such as DMARC and DKIM.

DMARC

DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance. It allows you to specify how your ESP should handle messages that appear to come from your domain.

You confirm all the domains that are allowed to send messages. DMARC provides information on how to authenticate your sender’s domain. It also helps with how to deal with suspicious emails.

It offers three ways of handling suspicious emails. The ESP may take no action on the email, or it may mark it as spam, holding the message so that it can be processed further.

It may also inform the ESP to reject the email. This will help you keep your credibility. It will help ease any worries over whether someone is using your domain name for sending information.

DKIM

DKIM stands for DomainKeys Identified Mail. It is a standard that ensures the message you send out is not altered before it reaches its destination.

DKIM enables you to sign the outgoing message as coming from your domain with a unique signature. You can use this when sending emails to your subscribers. Subscribers can verify the source of the email with the signature. So, if an email claims to come from your domain, they can easily check to confirm whether you sent the message or not.

DKIM also enables ESPs to identify the source of a message and confirm whether it is valid or not.

When they receive an email, they check the DKIM header to confirm its validity. They can also determine the next line of action once they have enough information about the source.

SPF does a good job at protecting your domain from spoofing. When used together with DKIM and DMARC, they will help you block potential loopholes that spammers may want to exploit.

This will improve your domain’s credibility and boost your delivery rates.

Let’s Get In Touch

Need help setting up SPF, DKIM, or DMARC? Our Managed Services team would be happy to assist. Get in touch today!
